Environment
- YugabyteDB Anywhere - 2.18.0 and 2.18.1
- v2.18.x is EOL
Issue
In 2.18.0 and 2.18.1, the OIDC runtime settings are not persisted after clicking 'Save' on the 'User Authentication' UI screen.
To get to the screen, as a superadmin navigate to User Management → User Authentication → OIDC Configuration:
The OIDC runtime configurations aren't visible in the UI by default.
You need to set yb.runtime_conf_ui.tag_filter to ["PUBLIC","UIDriven"] for these to appear in the list of flags in the runtime config setting UI.
Resolution
The preferred resolution is to upgrade to version 2.18.2 or later.
Overview
yb.runtime_conf_ui.tag_filter itself can’t be set through the UI, so a curl command is needed to set it using the YBA API.
Once the settings are complete, another curl command is required to reset yb.runtime_conf_ui.tag_filter.
Steps
- Run the following curl command to set the tag filter:
curl --request PUT --url https://${YBA_HOST}/api/v1/customers/${CUUID}/runtime_config/00000000-0000-0000-0000-000000000000/key/yb.runtime_conf_ui.tag_filter --header 'Content-Type: text/plain' --header "X-AUTH-YW-API-TOKEN: ${TOKEN}" --data '["PUBLIC","UIDriven"]'
where:
${YBA_HOST} is the YB Anywhere hostname or IP address
${CUUID} is the customer UUID, which can be seen in the user profile
${TOKEN} is the API token generated for your API access
Note that the '00000000-0000-0000-0000-000000000000' is intentional as it denotes the global scope.
The expected return is:
{"success":true}
The following is from a run on an internal system; the values have been purposefully obfuscated.
export YBA_HOST=1.2.3.4
export CUUID=ff1f1f11-1f11-111f-f11f-ffff111ffff1
export TOKEN=f1ff11ff-ff11-1fff-ffff-1f1111111f1
curl -k --request PUT --url https://${YBA_HOST}/api/v1/customers/${CUUID}/runtime_config/00000000-0000-0000-0000-000000000000/key/yb.runtime_conf_ui.tag_filter --header 'Content-Type: text/plain' --header "X-AUTH-YW-API-TOKEN: ${TOKEN}" --data '["PUBLIC","UIDriven"]'
{"success":true}
Navigate to 'Admin' -> 'Advanced' -> 'Global Configuration' in the UI
before running the curl command:
after running the curl command:
- The relevant config parameters are:
yb.security.type=OIDC
yb.security.clientID
yb.security.secret
yb.security.discoveryURI
yb.security.oidcScope
yb.security.oidcEmailAttribute
These correspond with the fields in the OIDC UI.
Note that the value for yb.security.discoveryURI must be wrapped in double quotes, e.g. "https://myoidcprovider.com/.well-known/openid-configuration".
Select the required key, and click on 'Actions' -> 'Edit Configuration'.
Add the required value and click 'Save'.
- After setting the OIDC configuration, be sure to revert the yb.runtime_conf_ui.tag_filter configuration variable back to default.
e.g.
curl -k --request DELETE --url https://${YBA_HOST}/api/v1/customers/${CUUID}/runtime_config/00000000-0000-0000-0000-000000000000/key/yb.runtime_conf_ui.tag_filter --header 'Content-Type: text/plain' --header "X-AUTH-YW-API-TOKEN: ${TOKEN}"
where:
${YBA_HOST} is the YB Anywhere hostname or IP address
${CUUID} is the customer UUID, which can be seen in the user profile
${TOKEN} is the API token generated for your API access
Note that the '00000000-0000-0000-0000-000000000000' is intentional as it denotes the global scope.
The expected return is '{"success":true}':
curl -k --request DELETE --url https://${YBA_HOST}/api/v1/customers/${CUUID}/runtime_config/00000000-0000-0000-0000-000000000000/key/yb.runtime_conf_ui.tag_filter --header 'Content-Type: text/plain' --header "X-AUTH-YW-API-TOKEN: ${TOKEN}"
{"success":true}
After successfully running the curl command, the OIDC values will no longer be shown:
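The set, edit and revert sequence above as one script, added here as an example and not part of the original article: it checks each response against the expected {"success":true}, reverts the tag filter even if the middle step fails, verifies TLS unless told otherwise, and passes the API token to curl on stdin instead of the command line. YBA_CACERT, YBA_INSECURE and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the article). Expects YBA_HOST, CUUID and TOKEN
# exported as in the article. YBA_CACERT and YBA_INSECURE are assumed names.
# Usage: with_oidc_keys_visible sh -c 'echo "Edit in UI, press Enter"; read -r _'
GLOBAL_SCOPE=00000000-0000-0000-0000-000000000000
KEY=yb.runtime_conf_ui.tag_filter

tag_filter_url() {
  printf 'https://%s/api/v1/customers/%s/runtime_config/%s/key/%s' \
    "$YBA_HOST" "$CUUID" "$GLOBAL_SCOPE" "$KEY"
}

# yba_call METHOD [BODY]: the token header is passed to curl on stdin
# (--config -), so it never shows up in the process list.
yba_call() {
  method=$1; body=${2-}
  set -- --silent --show-error --request "$method" --url "$(tag_filter_url)" \
    --header 'Content-Type: text/plain'
  # TLS is verified by default; -k (as in the article's run) is opt-in.
  if [ -n "${YBA_CACERT:-}" ]; then set -- "$@" --cacert "$YBA_CACERT"
  elif [ "${YBA_INSECURE:-0}" = 1 ]; then set -- "$@" -k
  fi
  if [ -n "$body" ]; then set -- "$@" --data "$body"; fi
  printf 'header = "X-AUTH-YW-API-TOKEN: %s"\n' "$TOKEN" | curl --config - "$@"
}

# Succeed only on the exact response body the article lists as expected.
is_success() { [ "$1" = '{"success":true}' ]; }

show_oidc_keys() {   # PUT ["PUBLIC","UIDriven"] at global scope
  resp=$(yba_call PUT '["PUBLIC","UIDriven"]') || return 1
  is_success "$resp"
}

hide_oidc_keys() {   # DELETE restores the default tag filter
  resp=$(yba_call DELETE) || return 1
  is_success "$resp"
}

# with_oidc_keys_visible CMD...: expose the keys, run CMD, then always revert.
with_oidc_keys_visible() {
  show_oidc_keys || { echo "PUT failed: $resp" >&2; return 1; }
  rc=0; "$@" || rc=$?
  hide_oidc_keys || { echo "revert failed, tag_filter still set: $resp" >&2; return 2; }
  return "$rc"
}
```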